OAuth2 and OpenID Connect Edit

OAuth2 and OpenID Connect are both pervasive technologies in modern identity systems. While verification of JSON web tokens issued by these systems is documented in the policy reference, the policy examples below aim to cover some other common use cases.

Metadata discovery

Rather than storing endpoints and other metadata as part of policy data, the authorization server metadata endpoint may be queried for this data.

Token verification using JWKS endpoint

Below example uses the keys published at the JWKS endpoint of the authorization server for token verification.

Key rotation

Use the keys published at the JWKS endpoint of the authorization server for token verification, with key rotation taken into account.

Token retrieval

Programmatically obtain an OAuth2 access token following the client credentials or resource owner password credential flow.